Many network systems can be remotely accessed. Through remote access, individuals can connect to the network system to access resources and obtain information while being located at a remote site. A popular method of providing remote access to a network is through the use of a dial-in network access server (NAS) that controls access to the network. For example, network access server model AS5300, commercially available from Cisco Systems, Inc., can be used to provide dial-in access to a network system. Individuals can access the network system by dialing into the network access server from a Remote Node to establish a connection. In this document, the term Remote Node refers to any client device, such as a personal computer (PC) or router, that can be used to dial in and establish a connection with a network access server. A client/server relationship exists between the Remote Node and the network access server.
To establish a connection with a particular NAS, a user interacts with the user's client computer to cause its modem to dial into the NAS. As part of the dial-in process, the client provides identification information, typically in the form of username/password information, to the NAS as part of a login dialogue. As a result, the NAS establishes a session for the particular user. In this context, a session is a specific connection that has been established for a particular user between a Remote Node and a server and which provides access to a network system. A session is generally identified by the numeric values of a remote port, remote IP address, local port, and local IP address. Once a session is established, the user can access network resources and information.
Controlling and monitoring the number of users or groups of users who are able to login and establish a session with an NAS can be important. For example, Internet Service Providers (ISPs) are in the business of allowing customers to login and establish sessions with an NAS to obtain access to resources that are available on the Internet. Several ISPs and Online Services, such as America Online® and CompuServe®, also provide their customers with access to proprietary information (such as proprietary databases and forums) and other online services that are available through their NAS connections. The ISPs and Online Services charge their customers a connection fee that is typically on an hourly connection or monthly flat fee basis. Thus, because their revenue is dependent on fees paid by their customers, ISPs and Online Services need to monitor and control the users or group of users that login and establish sessions with their NASs.
To reduce loads and better serve customers, ISPs and Online Services typically have a large number of NASs. In addition, because their customers may not be in a particular region, many ISPs and Online Services have distributed their NASs across wide geographic regions. A benefit of such distribution is that many customers may dial in and establish a session by a local call. Customers do not need to make a long distance call, and the ISPs and Online Services do not need to provide an “800” number to reduce their customer's connection costs.
However, a drawback with maintaining multiple NASs is that it can be difficult to control the actual number of sessions that are established by a particular user or group of users. A greater number of sessions may be established for a particular user or group of users than is actually authorized (“over-subscription”). For example, a company “A”, who has employees located in five (5) cities (e.g., San Diego, Los Angeles, San Jose, San Francisco and Sacramento) may require and have paid (“subscribed”) for a total of one hundred (100) sessions for its employees. If an NAS is located in each of the five cities, and each NAS allows a total of 100 sessions to be established by the employees of company “A”, then a total of 500 sessions may actually be established by the employees of company “A”, 400 of which are unauthorized. Thus, with multiple NASs, a large number of unauthorized sessions may be established. These unauthorized sessions can potentially represent a significant amount of lost revenue for the ISP. Also, because only a limited number of connections can be made with any one NAS, allowing a large number of unauthorized sessions to be established can significantly reduce the number of authorized sessions that can be established at particular one time.
One method of controlling the number of unauthorized sessions is by assigning a subset or portion of the authorized sessions to each of the NASs. For example, by dividing, between each of the NASs that are located in the different cities, the 100 sessions that are authorized to the employees of company “A”, a total of 20 sessions can be established with each NAS. Thus, the employees of company “A” will be limited to at most the 100 authorized sessions between the NASs in the five different cities.
However, a drawback with this approach is that an employee who is located in a particular city may be denied a session with a the local NAS even though the total number of authorized sessions has not yet been established (“under-subscription”). For example, assume that 100 sessions have been authorized for the employees of company “A”, and that each NAS in one of five cities is authorized to establish a maximum of 20 sessions. Assume further that a total of 20 sessions have already been established by the employees of company “A” with the NAS located in San Jose, but only 10 sessions have been established with each of the other four NASs in the other cities. A request to establish a session with the NAS in San Jose will be denied even though the authorized session limit of 100 has not yet been reached. Thus, splitting the number of authorized sessions between different NASs can produce the unwanted side effect of denying a valid connection request.
Another approach is to identify a central NAS that is used to control the number of sessions that can be established by a user or group of users at any one time. This approach assures that a connection request will not be denied even when the total number of authorized sessions has not yet been reached. Thus, before a NAS can establish a session, it must first communicate with the central NAS to determine whether the maximum number of authorized sessions has already been reached for the particular user or group of users. If a maximum number of sessions have already been established, then the connection request is denied. Conversely, if central NAS indicates that the maximum number has not yet been reached, then the connection request is granted.
However, a serious drawback is associated with always having to communicate with a central NAS to determine whether a connection request should be granted to a particular user or group of users. This approach requires a significant amount of additional communication overhead to determine whether a connection request should be granted. This overhead can significantly degrade the response time for establishing sessions to a network system.
For example, assume that the central NAS is in San Jose. Whenever a connection request is received by the NAS located in San Diego, the San Diego NAS must first communicate with the San Jose NAS to determine whether an additional session may be established for the particular user or group of users. Upon receiving the message, the San Jose NAS must determine whether the total number of authorized sessions have already been established for the particular user or group of users. The San Jose NAS must then send a message to the San Diego NAS indicating whether the session should be granted. The communication overhead that is required in communicating with a central NAS each time a connection request is received can significantly increase the amount of time that is required to establish a session with a non-central NAS. In addition, in larger systems where dozens or even hundreds of NASs are used to provide access to a network system, the delay caused by using a central NAS can dramatically increase the amount of time that is required to establish a session.
Based on the foregoing, there is a clear need for a mechanism that can be used to control and manage the number of sessions that can be established with a network access server by a particular user or group of users for accessing a network system.
There is also a clear need for a mechanism that can reduce the communication overhead that is typically required in controlling the number of users or group of users that can establish a session with a set of network access servers for accessing a network system.